UNC6692 Deploys 'Snow' Malware Suite via Microsoft Teams in Sophisticated Social Engineering Campaign
A threat group known as UNC6692 is leveraging sophisticated social engineering tactics, including email bombing and impersonation of IT helpdesk personnel via **Microsoft Teams**, to deploy a custom malware suite dubbed 'Snow.' The suite includes a malicious browser extension, a tunneler, and a backdoor, ultimately aiming for sensitive data theft and domain takeover.
# UNC6692 Deploys 'Snow' Malware Suite via Microsoft Teams

A threat group tracked as UNC6692 is using social engineering to deploy a new, custom malware suite named 'Snow,' which includes a browser extension, a tunneler, and a backdoor. Their ultimate goal is to steal sensitive data after achieving deep network compromise through credential theft and domain takeover.
According to **Google's Mandiant** researchers, the attackers employ 'email bombing' tactics to create a sense of urgency, then contact targets via **Microsoft Teams**, posing as IT helpdesk agents. This tactic is becoming increasingly popular among cybercriminals, as highlighted in a recent **Microsoft** report, where attackers trick users into granting remote access via Quick Assist or other remote access tools.
## The 'Snow' Malware Components
In the UNC6692 campaign, victims are prompted to click a link to install a supposed patch designed to block email spam. Instead, they receive a dropper that executes **AutoHotkey** scripts, loading 'SnowBelt,' a malicious Chrome extension.

The extension operates within a headless **Microsoft Edge** instance, remaining unnoticed by the user. Scheduled tasks and a startup folder shortcut are also created to ensure persistence.
'SnowBelt' serves as a persistence mechanism and a relay for commands sent by the attacker to a Python-based backdoor named 'SnowBasin.'
Commands are delivered through a **WebSocket** tunnel established by a tunneler tool called 'SnowGlaze,' masking communications between the host and the command-and-control (C2) infrastructure.
'SnowGlaze' also facilitates **SOCKS** proxy operations, allowing arbitrary TCP traffic to be routed through the infected host.
'SnowBasin' runs a local **HTTP** server and executes attacker-supplied CMD or **PowerShell** commands on the infected system, relaying the results back to the operator through the same pipeline.
The malware supports remote shell access, data exfiltration, file download, screenshot capturing, and basic file management operations. The operator can also issue a self-termination command to shut down the backdoor on the host.
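As an added illustration that is not from the article or the Mandiant report, the Python heuristic below runs over constructed process-creation events and shows what a detection for the 'SnowBelt' launch chain described above might key on: a script host such as AutoHotkey starting a headless Edge instance with a side-loaded extension. The `--headless` and `--load-extension` switches are standard Chromium command-line options; the executable names, record fields and sample paths are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed shape of a process-creation record (e.g. from an EDR or Sysmon feed).
@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process

HEADLESS = re.compile(r"(?i)--headless")          # standard Chromium switch
LOAD_EXT = re.compile(r"(?i)--load-extension=")   # side-loads an unpacked extension
BROWSERS = {"msedge.exe", "chrome.exe"}
SCRIPT_HOSTS = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe"}  # assumed names

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev: ProcEvent) -> List[str]:
    """Return the detection labels that fire for one process-creation event."""
    hits: List[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent)
    if image in BROWSERS and HEADLESS.search(ev.cmdline):
        hits.append("headless-browser")            # user never sees a window
        if LOAD_EXT.search(ev.cmdline):
            hits.append("sideloaded-extension")    # extension not from the store
    if image in BROWSERS and parent in SCRIPT_HOSTS:
        hits.append("browser-spawned-by-script-host")
    return hits

def scan(events: List[ProcEvent]) -> List[tuple]:
    """Return (image basename, labels) for every event that triggers at least one label."""
    return [(_basename(e.image), classify(e)) for e in events if classify(e)]

# Constructed sample events, not real indicators from the report.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", EDGE, "msedge.exe --profile-directory=Default"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe", EDGE,
              r'msedge.exe --headless=new --load-extension="C:\Users\alice\AppData\Roaming\ext" about:blank'),
]

if __name__ == "__main__":
    for name, labels in scan(SAMPLE_EVENTS):
        print(name, labels)
```

A real deployment would pair this with the persistence artifacts the article mentions (the scheduled task and the startup-folder shortcut), and with the published YARA rules and IoCs.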

## Post-Compromise Activities
**Mandiant** has observed that, post-compromise, the attackers perform internal reconnaissance, scanning for services such as **SMB** and **RDP** to identify additional targets, and then move laterally within the network.
The attackers dump **LSASS** memory to extract credential material and use pass-the-hash techniques to authenticate to additional hosts, eventually gaining access to domain controllers.
At the final stage of the attack, the threat actor deploys **FTK Imager** to extract the **Active Directory** database, along with SYSTEM, SAM, and SECURITY registry hives.
These files are exfiltrated from the network using **LimeWire**, granting the attackers access to sensitive credential data across the domain.

The report provides extensive indicators of compromise (IoCs) and also **YARA** rules to help detect the 'Snow' toolset.